A security researcher has found a way to tinker with Windows’ core settings while persuading users to accept the changes, it emerged this week – and Microsoft has no intention of patching the issue.
The attack was discovered by John Page, who goes by the name hyp3rlinkx. It focuses on the Windows registry, which is a database of configuration settings for software programs, hardware devices, user preferences and the operating system itself.
Users can make changes to the registry using the Registry Editor program that ships with Windows, but this isn’t something that non-power users would normally do. Messing with the registry can cripple your machine or introduce security risks.
In most cases, when a Windows user really must make changes to the registry, they’ll do it by clicking on a file with a .reg extension. These files, provided by a trusted third party, alter the registry without the user having to enter anything.
This is why a dialog box appears when opening a .reg file, asking users if they trust the source and if they want to continue. It will then offer a ‘yes’ or ‘no’ choice.
Page’s attack changes that. In a document describing the process, he explains:
…we can inject our own messages thru the filename to direct the user to wrongly click “Yes”, as the expected “Are you sure you want to continue?” dialog box message is under our control.
He does this by using a carefully-crafted filename that uses characters encoded with the % symbol. The right character combination can delete the warning message and questions in the dialog box, replacing it with text that the attacker has put in the .reg filename. He continues:
This spoofing flaw lets us spoof the “Are you sure you want to continue?” warning message to instead read “Click Yes” or whatever else we like. Potentially making a user think they are cancelling the registry import as the security warning dialog box is now lying to them.
Users of older Windows versions may still get suspicious, because pre-Windows 10 versions present a second dialog box confirming the registry change. However, Page was able to get rid of that box in Windows 10 by including a character combination to indicate null at the end of the filename.
The attack works with non-privileged (that is, non-administrator) users. If attempted by a user with administrator privileges, it will launch a User Account Control (UAC) dialog box asking if they want to make changes to the machine, Page points out in his description. This means an attacker would have to bypass UAC somehow to successfully compromise a user with administrative privileges.
Microsoft wasn’t impressed, Page reported. The company told him:
A registry file was created with the title you suggested, but the error message was clear.
Threatpost received a response from Microsoft senior security director Jeff Jones, explaining:
The issue submitted does not meet the severity bar for servicing via a security update.
A successful registry change could enable an attacker to change a variety of settings including file associations, Control Panel settings, and windows components. The registry is also a popular destination for malware droppers, which can store code there enabling malware to persist by running automatically on startup.